Cisco Firepower Management Center 4000 Developer Guide

4-32
FireSIGHT eStreamer Integration Guide

Chapter 4 Understanding Discovery & Connection Data Structures
Metadata for Discovery Events
The following table describes the fields in the Security Intelligence Source/Destination record.

Table 4-24 Security Intelligence Source/Destination Record Fields

| Field | Data Type | Description |
|---|---|---|
| Security Intelligence Source/Destination ID | uint32 | The Security Intelligence source/destination ID number. |
| Security Intelligence Source/Destination Length | uint32 | The number of bytes included in the Security Intelligence source/destination. |
| Security Intelligence Source/Destination | string | Whether the detected IP address is a source or destination IP address. |

Discovery Event Header 5.2+

Discovery and connection event messages contain a discovery event header. It conveys the type and subtype of the event, the time the event occurred, the device on which the event occurred, and the structure of the event data in the message. This header is followed by the actual host discovery, user, or connection event data. The structures associated with the different event type/subtype values are described in . This header has IPv6 support, and deprecates 

The event type and event subtype fields of the discovery event header identify the structure of the transmitted event message. After the structure of the event data block is determined, your program can parse the message appropriately.

The shaded rows in the following diagram illustrate the format of the discovery event header.
Discovery event header diagram (each row is one 32-bit word, bits 0-31 across bytes 0-3; Header Version and Message Type share the first row as two 16-bit fields):

| Bytes | Contents |
|---|---|
| 0-1 | Header Version (1) |
| 2-3 | Message Type (4) |
| 4-7 | Message Length |
| 8-11 | Record Type |
| 12-15 | Record Length |
| 16-19 | eStreamer Server Timestamp (in events, only if bit 23 is set) |
| 20-23 | Reserved for Future Use (in events, only if bit 23 is set) |
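As an added example that is not part of the guide, the following Python parses a message laid out as in the diagram above (validating each declared length before trusting it) and then decodes the Table 4-24 record it carries. It assumes network byte order, that Header Version and Message Type are the two 16-bit halves of the first row, and that Record Length counts only the bytes after the optional timestamp/reserved words; the record type number and the sample bytes are constructed placeholders, not values from the guide.

```python
import struct

# Field widths follow the 32-bit rows of the header diagram; the sample bytes
# at the bottom are constructed for this example, not captured eStreamer traffic.
MSG_HEADER = struct.Struct("!HHI")   # header version, message type, message length
REC_HEADER = struct.Struct("!II")    # record type, record length
EXT_HEADER = struct.Struct("!II")    # server timestamp, reserved (only if bit 23 set)
SI_HEADER = struct.Struct("!II")     # Table 4-24: source/destination ID, string length

def parse_message(data, bit23_set):
    """Split one event message into its header fields and the record body.

    bit23_set mirrors bit 23 of the client's request flags: when set, the
    server timestamp and reserved word follow the record length. Every
    declared length is checked against the buffer before it is trusted."""
    version, msg_type, msg_len = MSG_HEADER.unpack_from(data, 0)
    if version != 1:
        raise ValueError("unsupported header version %d" % version)
    body = data[MSG_HEADER.size:]
    if len(body) != msg_len:
        raise ValueError("message length %d, but %d bytes follow" % (msg_len, len(body)))
    rec_type, rec_len = REC_HEADER.unpack_from(body, 0)
    offset = REC_HEADER.size
    timestamp = None
    if bit23_set:
        timestamp, _reserved = EXT_HEADER.unpack_from(body, offset)
        offset += EXT_HEADER.size
    record = body[offset:]
    # Assumption: Record Length counts only the bytes after the extended header.
    if rec_len != len(record):
        raise ValueError("record length %d, but %d bytes follow" % (rec_len, len(record)))
    return {"message_type": msg_type, "record_type": rec_type,
            "timestamp": timestamp, "record": record}

def parse_si_source_destination(record):
    """Decode a Security Intelligence Source/Destination record (Table 4-24)."""
    si_id, si_len = SI_HEADER.unpack_from(record, 0)
    name = record[SI_HEADER.size:SI_HEADER.size + si_len]
    if len(name) != si_len:
        raise ValueError("string length %d exceeds record" % si_len)
    return si_id, name.decode("ascii")

# Constructed sample: record type 0 is a placeholder, not the guide's value.
_SI = SI_HEADER.pack(1, 6) + b"source"
_BODY = REC_HEADER.pack(0, len(_SI)) + EXT_HEADER.pack(1700000000, 0) + _SI
SAMPLE = MSG_HEADER.pack(1, 4, len(_BODY)) + _BODY
```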